Have I Been Pwned introduces a subscription system that allows large companies to check whether email domains have been involved in a data breach. A free variant will remain available where a maximum of ten compromised email addresses are allowed.
Until now, looking up an email address in the database of twelve billion records was completely free, even for parties who wanted to check an entire domain. HIBP founder Troy Hunt, on the other hand, writes that specific domain searches are very expensive. That is why he wants companies to pay for bulk searches from now on.
Domains that have been pwned up to ten email addresses can still use the service for free. That would be 60 percent of all domains within the HIBP database. The remaining 40 percent, divided into categories of 10 percent each of all domains, must pay roughly $4, $17, $29, or $115 per month to list a certain number of leaked email addresses per month, depending on the subscription system. subscription.
The revamped domain search page states that customers must first prove they manage a specified domain, after which they will be given access to a special dashboard. Here they can view the information provided. Customers receive an e-mail notification when new e-mail addresses within the specified domain appear in a new database. HIBP also offers customers a domain search API, which works slightly differently than the public API for regular email addresses.
In its terms of use, HIBP says there is a special regulation for what it calls “domain creep.” In principle, customers are entitled to a limited number of ‘breached addresses’. If new email addresses appear in data breaches and would actually be outside of the current plan, customers have until the next billing date to upgrade the plan.
| Subscription | Maximum leaked email addresses | Price per month* |
| Pwned 0 | Up to 10 | Free |
| Pwned 1 | Up to 25 | $3.95 |
| Pwned 2 | Up to 100 | $16.95 |
| Pwned 3 | Up to 500 | $28.50 |
| Pwned 4 | Unlimited | $115 |
